cookies and javascript

Anon

HI all

I set a cookie up and it gets set when the users password matches the one in the database.

My problem is that anyone who uses
javascript:alert(document.cookie) can see not only the name of the cookie but also the value of it. Is there anyway i can so that the value of the cookie is hidden or randomised.

The passwords in the database are not encrypted so i cannot use an encryption module.

Anyone got any good ideas

Gary

Anon

Read Tim Perdue's column in which he discusses authentication and security. Following Tim's suggestion, I am setting a PHP session variable that contains an MD5 hash of the user's ID concatenated with a secret system passphrase. The result is a 32-bit value expressed as a hexadecimal string, about as unreadable as you can get.

My checklogin() function then constructs the same value and compares the constructed value with the session value to ensure that no tampering has taken place.

Source code is at http://stonemountain.yi.org/

Anon

The passwords in the database are not encrypted

Steve's suggestion is great, and while you're at it you might
take a look at fixing this problem, too--md5 hashing them
is a great security enhancement.